This week is a follow-up on last week. Last week the focus was on providing an example for monitoring the Apple MDM push certificate with Azure Logic Apps and Adaptive Cards for Teams. This week the focus is on providing more endpoints in Microsoft Graph that can be used for monitoring all the different connectors, certificates and tokens. This blog post provides a collection of the different endpoints, the properties to verify and example queries to use. Everything is summarized in tables, including links to the documentation. The following connectors, certificates and tokens are addressed within this post.
Note: This list of connectors, certificates and tokens is made based on the information available within Microsoft Endpoint Manager admin center (Tenant administration > Connectors and tokens). Please leave a comment when a connector, certificate, or token is missing and should be added.
- Remote help
- Microsoft Store for Business
- Windows enterprise certificate
- Windows DigiCert certificate
- Windows side loading keys
- Microsoft Endpoint Configuration Manager
- Apple MDM push certificate
- Apple VPP tokens
- Apple DEP tokens
- Managed Google Play
- Microsoft Defender for Endpoint
- Mobile Threat Defense
- Partner device management
- Partner compliance management
- TeamViewer connector
- Certificate connectors
- Telecom expense management
- Windows Autopilot
Important: Most of the information provided in this post is verified and tested, but in some cases the connectors, certificates, or tokens were not available. In those cases a few logical assumptions are used, based on the documentation and experiences with other connectors, certificates, or tokens. Please leave a comment when information is not correct.
Connectors, certificates and tokens
Remote help
Remote help is provided as a connector in the Tenant administration > Connectors and tokens > Remote help overview. That connector is used for providing remote assistance in Microsoft Intune. However, as it’s directly integrated in Microsoft Intune there is no further status information. It also doesn’t contain a single endpoint that is queried to provide information.
Microsoft Store for Business
Microsoft Store for Business is provided as a connector in the Tenant administration > Connectors and tokens > Microsoft Store for Business overview. That connector is used for synchronizing apps from Microsoft Store for Business to Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if the last successful sync of the apps was longer than a few days ago.
Connector (docs) | Microsoft Store for Business |
url | https://graph.microsoft.com/beta/deviceAppManagement |
Property | Use microsoftStoreForBusinessLastSuccessfulSyncDateTime to monitor the last successful sync |
Example check | microsoftStoreForBusinessLastSuccessfulSyncDateTime is greater than addToTime(utcNow(),2,'day') |
Windows enterprise certificate
Windows enterprise certificate is provided as a certificate in the Tenant administration > Connectors and tokens > Windows enterprise certificate overview. That certificate is used for sideloading LOB apps on Windows 10 devices and that page provides an overview of the status of the uploaded certificate. The information below can be used to monitor if the expiration date of that certificate is near (within the next 30 days).
Connector (docs) | Windows enterprise certificate |
url | https://graph.microsoft.com/beta/deviceAppManagement/enterpriseCodeSigningCertificates |
property | Use expirationDateTime to monitor the expiration of the certificate |
Example check | expirationDateTime is less than addToTime(utcNow(),30,'day') |
Windows DigiCert certificate
Windows DigiCert certificate is provided as a certificate in the Tenant administration > Connectors and tokens > Windows DigiCert certificate overview. That certificate was required for distributing LOB apps to Windows 10 Mobile devices and that page provides an overview of the status of the uploaded certificate. The information below can be used to monitor if the expiration date of that certificate is near (within the next 30 days).
Connector (docs) | Windows DigiCert certificate |
url | https://graph.microsoft.com/beta/deviceAppManagement/symantecCodeSigningCertificate |
property | Use expirationDateTime to monitor the expiration of the certificate |
Example check | expirationDateTime is less than addToTime(utcNow(),30,'day') |
Windows side loading keys
Windows side loading keys are provided as keys in the Tenant administration > Connectors and tokens > Windows side loading keys overview. Those keys were used for deploying LOB apps to Windows 8.1 devices and that page provides an overview of the added keys and the total activations. There is no status to monitor of side loading keys.
Connector (docs) | Windows side loading keys |
url | https://graph.microsoft.com/beta/deviceAppManagement/sideLoadingKeys |
property | – |
Example check | – |
Microsoft Endpoint Configuration Manager
Microsoft Endpoint Configuration Manager is provided as a connector in the Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager overview. That connector is used for getting device information of Configuration Manager and that page provides an overview of the status information of the attached Configuration Manager environment. The information, however, isn’t available via the Microsoft Graph.
Apple MDM push certificate
Apple MDM push certificate is provided as a certificate in the Devices > iOS/iPadOS devices > iOS/iPadOS enrollment > Apple MDM push certificate overview. That certificate is used for managing devices with Microsoft Intune and that page provides an overview of the status of the push certificate. The information below can be used to monitor if the expiration date of that certificate is near (within the next 30 days).
Connector (docs) | Apple MDM push certificate |
url | https://graph.microsoft.com/beta/deviceManagement/applePushNotificationCertificate |
property | Use expirationDateTime to monitor the expiration of the certificate |
Example check | expirationDateTime is less than addToTime(utcNow(),30,'day') |
Apple VPP tokens
Apple VPP tokens are provided as tokens in the Tenant administration > Connectors and tokens > Apple VPP tokens overview. Those VPP tokens are used for synchronizing apps (and licenses) from Apple to Microsoft Intune and that page provides an overview of the status of those tokens. The information below can be used to monitor if the last sync status is failed and to monitor if the expiration date of that token is near (within the next 30 days).
Connector (docs) | Apple VPP tokens |
url | https://graph.microsoft.com/beta/deviceAppManagement/vppTokens |
properties | Use lastSyncStatus to monitor the last sync status; use expirationDateTime to monitor the expiration of the token |
Example checks | lastSyncStatus is equal to failed; expirationDateTime is less than addToTime(utcNow(),30,'day') |
Apple DEP tokens
Enrollment program tokens are provided as tokens in the Devices > iOS/iPadOS devices > iOS/iPadOS enrollment > Enrollment program tokens overview. Those enrollment program tokens are used for synchronizing devices to Microsoft Intune and that page provides an overview of the (sync) status of those tokens. The information below can be used to monitor if the last sync status is not successful and to monitor if the expiration date of that token is near (within the next 30 days).
Connector (docs) | Apple DEP tokens |
url | https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings |
properties | Use lastSyncErrorCode to monitor the last sync status; use expirationDateTime to monitor the expiration of the token |
Example checks | lastSyncErrorCode is not equal to 0; expirationDateTime is less than addToTime(utcNow(),30,'day') |
Managed Google Play
Managed Google Play is provided as a connector in the Tenant administration > Connectors and tokens > Managed Google Play overview. That connector is used for synchronizing apps from Managed Google Play to Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if the last sync status is not successful.
Connector (docs) | Managed Google Play |
url | https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings |
property | Use lastAppSyncStatus to monitor the last sync status |
Example check | lastAppSyncStatus is not equal to success |
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is provided as a connector in the Tenant administration > Connectors and tokens > Microsoft Defender for Endpoint overview. That connector is used for retrieving compliance information of Microsoft Defender for Endpoint in Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if that connection is available and if the latest heartbeat is no longer than a few days ago.
Connector (docs) | Microsoft Defender for Endpoint |
url | https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors |
properties | Use partnerState to monitor the state of the connection; use lastHeartbeatDateTime to monitor the last heartbeat of the connection |
Example checks | partnerState is not equal to enabled; lastHeartbeatDateTime is greater than addToTime(utcNow(),2,'day') |
Mobile Threat Defense
Mobile Threat Defense is provided as a connector in the Tenant administration > Connectors and tokens > Mobile Threat Defense overview. That connector is used for retrieving compliance information of the mobile threat defense partner in Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if that connection is available and if the latest heartbeat is no longer than a few days ago.
Connector (docs) | Mobile Threat Defense |
url | https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors |
properties | Use partnerState to monitor the state of the connection; use lastHeartbeatDateTime to monitor the last heartbeat of the connection |
Example checks | partnerState is not equal to enabled; lastHeartbeatDateTime is greater than addToTime(utcNow(),2,'day') |
Partner device management
Partner device management is provided as a connector in the Tenant administration > Connectors and tokens > Partner device management overview. That connector is used for retrieving compliance information of Jamf-managed macOS devices in Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if that connection is available and if the latest heartbeat is no longer than a few days ago.
Connector (docs) | Partner device management |
url | https://graph.microsoft.com/beta/deviceManagement/deviceManagementPartners |
properties | Use partnerState to monitor the state of the connection; use lastHeartbeatDateTime to monitor the last heartbeat of the connection |
Example checks | partnerState is not equal to enabled; lastHeartbeatDateTime is greater than addToTime(utcNow(),2,'day') |
Partner compliance management
Partner compliance management is provided as a connector in the Tenant administration > Connectors and tokens > Partner compliance management overview. That connector is used for retrieving compliance information of partner-managed devices in Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if that connection is available and if the latest heartbeat is no longer than a few days ago.
Connector (docs) | Partner compliance management |
url | https://graph.microsoft.com/beta/deviceManagement/complianceManagementPartners |
properties | Use partnerState to monitor the state of the connection; use lastHeartbeatDateTime to monitor the last heartbeat of the connection |
Example checks | partnerState is not equal to enabled; lastHeartbeatDateTime is greater than addToTime(utcNow(),2,'day') |
TeamViewer connector
TeamViewer connector is provided as a connector in the Tenant administration > Connectors and tokens > TeamViewer connector overview. That connector is used for integrating TeamViewer remote assistance with Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if the last connection was longer than a few days ago.
Connector (docs) | TeamViewer connector |
url | https://graph.microsoft.com/beta/deviceManagement/remoteAssistancePartners |
property | Use onboardingStatus to monitor the status of the onboarding; use lastConnectionDateTime to monitor the moment of the last connection |
Example check | lastConnectionDateTime is greater than addToTime(utcNow(),2,'day') |
Certificate connectors
Certificate connector is provided as a connector in the Tenant administration > Connectors and tokens > Certificate connector overview. That connector is used for integrating certificate deployment via NDES with Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor if the state of that connection is active.
Connector (docs) | Certificate connectors |
url | https://graph.microsoft.com/beta/deviceManagement/ndesConnectors |
property | Use state to monitor the state of the connector |
Example check | state is not equal to active |
Telecom expense management
Telecom expense management is provided as a connector in the Tenant administration > Connectors and tokens > Telecom expense management overview. That connector is used for integrating telecom roaming data with Microsoft Intune and that page provides an overview about the connection status. The information below can be used to monitor if the last connection was longer than a few days ago.
Connector (docs) | Telecom expense management |
url | https://graph.microsoft.com/beta/deviceManagement/telecomExpenseManagementPartners |
property | Use lastConnectionDateTime to monitor the moment of the last connection |
Example check | lastConnectionDateTime is greater than addToTime(utcNow(),2,'day') |
Windows Autopilot
Windows Autopilot is provided as a connector in the Devices > Windows devices > Windows enrollment > Devices overview. That connector is used for integrating Autopilot device information with Microsoft Intune and that page provides an overview of the connection status. The information below can be used to monitor whether the sync state is a positive one.
Connector (docs) | Windows Autopilot |
url | https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotSettings |
property | Use syncStatus to monitor the status of the last sync |
Example check | syncStatus is not equal to completed or syncStatus is not equal to inProgress |
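An added example (not part of the original post): a subset of the expiry, sync-status and heartbeat checks from the tables above, evaluated over constructed sample responses, with collection endpoints looped record by record. The `evaluate` function, the sample records and the fixed clock are assumptions, and the "heartbeat longer than two days ago" check is implemented here as a timestamp earlier than now minus two days.

```python
from datetime import datetime, timedelta, timezone

# (path under https://graph.microsoft.com/beta/, property, check kind, expected value)
CHECKS = [
    ("deviceManagement/applePushNotificationCertificate", "expirationDateTime", "expires", None),
    ("deviceAppManagement/vppTokens", "lastSyncStatus", "equals", "failed"),
    ("deviceAppManagement/vppTokens", "expirationDateTime", "expires", None),
    ("deviceManagement/depOnboardingSettings", "lastSyncErrorCode", "not_equals", 0),
    ("deviceManagement/mobileThreatDefenseConnectors", "partnerState", "not_equals", "enabled"),
    ("deviceManagement/mobileThreatDefenseConnectors", "lastHeartbeatDateTime", "stale", None),
    ("deviceManagement/ndesConnectors", "state", "not_equals", "active"),
]

def parse_ts(value):
    # Graph returns ISO 8601 UTC; keep whole seconds and ignore any fraction and "Z"
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def evaluate(responses, now, expiry_days=30, stale_days=2):
    findings = []  # (path, record id, property, value) for every check that fires
    for path, prop, kind, expected in CHECKS:
        # An endpoint that was not queried in this run yields no records to check
        body = responses.get(path, {"value": []})
        # Collection endpoints wrap records in "value"; singletons are the record itself
        records = body["value"] if isinstance(body.get("value"), list) else [body]
        for rec in records:
            actual = rec.get(prop)
            if actual is None:
                hit = True  # a missing property is reported, never silently passed
            elif kind == "expires":
                hit = parse_ts(actual) < now + timedelta(days=expiry_days)
            elif kind == "stale":
                hit = parse_ts(actual) < now - timedelta(days=stale_days)
            elif kind == "equals":
                hit = actual == expected
            else:
                hit = actual != expected
            if hit:
                findings.append((path, rec.get("id", "-"), prop, actual))
    return findings

# Constructed sample responses, shaped like the Graph JSON bodies (not real tenant data)
SAMPLE = {
    "deviceManagement/applePushNotificationCertificate": {"expirationDateTime": "2024-06-20T00:00:00Z"},
    "deviceAppManagement/vppTokens": {"value": [
        {"id": "vpp-1", "lastSyncStatus": "completed", "expirationDateTime": "2025-01-01T00:00:00Z"},
        {"id": "vpp-2", "lastSyncStatus": "failed", "expirationDateTime": "2024-06-10T00:00:00Z"}]},
    "deviceManagement/mobileThreatDefenseConnectors": {"value": [
        {"id": "mtd-1", "partnerState": "enabled", "lastHeartbeatDateTime": "2024-05-20T08:00:00Z"}]},
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the result is reproducible
```

Calling `evaluate(SAMPLE, NOW)` reports the push certificate, both problems on the second VPP token and the stale heartbeat, while the healthy first VPP token produces nothing.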
Hi, this is really nice and helpful. In the case of VPP or enrolment, does it apply for one only or all the registered certificates!?
Hi Pk,
It returns all. So, you probably have to loop through them to perform an action.
Regards, Peter
With the Windows Autopilot one, the example check should be syncStatus is not equal to completed OR syncStatus is not equal to inProgress, otherwise it will always be false as I’ve just found out. 🙂
Thank you Louie! You’re absolutely correct. I just adjusted it.
Regards, Peter
Hi Peter,
I am having trouble with the VPP. Seems that the Schema is not returning data correctly. The adaptive card just returns no values, even though the dynamic content does return values and I am a bit lost here. Any advice?
Hi John,
Keep in mind that it probably returns an array (or at least multiple records) that you need to loop through.
Regards, Peter